What is dnscrypt

Modern open router firmwares such as Tomato Shibby and other Tomato variants include a DNSCrypt client out-of-the box. The dnscrypt-proxy client is also available on OpenWRT which has a wiki page on using DNSCrypt on OpenWRT. dnscrypt-proxy can also be found in Entware. It can also be compiled for any Linux-based target, running an Intel, Mips or ARM CPU.

DNSCrypt

DNS is one of the fundamental building blocks of the Internet. It’s used any time you visit a website, send an email, have an IM conversation or do anything else online. While OpenDNS has provided world-class security using DNS for years, and OpenDNS is the most secure DNS service available, the underlying DNS protocol has not been secure enough for our comfort. Many will remember the Kaminsky Vulnerability, which impacted nearly every DNS implementation in the world (though not OpenDNS).

That said, the class of problems that the Kaminsky Vulnerability related to were a result of some of the underlying foundations of the DNS protocol that are inherently weak — particularly in the “last mile.” The “last mile” is the portion of your Internet connection between your computer and your ISP. DNSCrypt is our way of securing the “last mile” of DNS traffic and resolving (no pun intended) an entire class of serious security concerns with the DNS protocol. As the world’s Internet connectivity becomes increasingly mobile and more and more people are connecting to several different WiFi networks in a single day, the need for a solution is mounting.

There have been numerous examples of tampering, or man-in-the-middle attacks, and snooping of DNS traffic at the last mile and it represents a serious security risk that we’ve always wanted to fix. Today we can.

Why DNSCrypt is so significant

In the same way the SSL turns HTTP web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks. It doesn’t require any changes to domain names or how they work, it simply provides a method for securely encrypting communication between our customers and our DNS servers in our data centers. We know that claims alone don’t work in the security world, however, so we’ve opened up the source to our DNSCrypt code base and it’s available on GitHub.

DNSCrypt has the potential to be the most impactful advancement in Internet security since SSL, significantly improving every single Internet user’s online security and privacy.

Note: Looking for malware, botnet and phishing protection for laptops or iOS devices? Check out Umbrella Mobility by OpenDNS.

Download Now:

Frequently Asked Questions (FAQ):

1. In plain English, what is DNSCrypt?

DNSCrypt is a piece of lightweight software that everyone should use to boost online privacy and security. It works by encrypting all DNS traffic between the user and OpenDNS, preventing any spying, spoofing or man-in-the-middle attacks.

2. How can I use DNSCrypt today?

We’ve opened up the source to our DNSCrypt code base and it’s available on GitHub. The graphical interfaces are no longer in development; however, the open source community is still providing unofficial updates to the technical preview.

Tips:
If you have a firewall or other middleware mangling your packets, you should try enabling DNSCrypt with TCP over port 443. This will make most firewalls think it’s HTTPS traffic and leave it alone.

If you prefer reliability over security, enable fallback to insecure DNS. If you can’t reach us, we’ll try using your DHCP-assigned or previously configured DNS servers. This is a security risk though.

3. What about DNSSEC? Does this eliminate the need for DNSCrypt?

No. DNSCrypt and DNSSEC are complementary. DNSSEC does a number of things. First, it provides authentication. (Is the DNS record I’m getting a response for coming from the owner of the domain name I’m asking about or has it been tampered with?) Second, DNSSEC provides a chain of trust to help establish confidence that the answers you’re getting are verifiable. But unfortunately, DNSSEC doesn’t actually provide encryption for DNS records, even those signed by DNSSEC. Even if everyone in the world used DNSSEC, the need to encrypt all DNS traffic would not go away. Moreover, DNSSEC today represents a near-zero percentage of overall domain names and an increasingly smaller percentage of DNS records each day as the Internet grows.

That said, DNSSEC and DNSCrypt can work perfectly together. They aren’t conflicting in any way. Think of DNSCrypt as a wrapper around all DNS traffic and DNSSEC as a way of signing and providing validation for a subset of those records. There are benefits to DNSSEC that DNSCrypt isn’t trying to address. In fact, we hope DNSSEC adoption grows so that people can have more confidence in the entire DNS infrastructure, not just the link between our customers and OpenDNS.

4. Is this using SSL? What’s the crypto and what’s the design?

We are not using SSL. While we make the analogy that DNSCrypt is like SSL in that it wraps all DNS traffic with encryption the same way SSL wraps all HTTP traffic, it’s not the crypto library being used. We’re using elliptic-curve cryptography, in particular the Curve25519 elliptic curve. The design goals are similar to those described in the DNSCurve forwarder design.

DNSCrypt

DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven’t been tampered with.

It is an open specification, with free and open source reference implementations, and it is not affiliated with any company nor organization.

Free, DNSCrypt-enabled resolvers are available all over the world

A couple companies, organizations and individuals are operating public recursive DNS servers supporting the DNSCrypt protocol, so that all you need to run is a client.

A constantly updated list of open DNSCrypt resolvers can be downloaded to replace the default CSV file shipped with the dnscrypt-proxy client.

If you are running your own public DNS resolver in order to help make the Internet a more secure place, please submit a pull request to have your resolver added to the list of public DNS resolvers.

Installing a DNSCrypt client

DNSCrypt itself is not a product, but a protocol that anyone can implement. Portable implementations are also available, on top on which graphical user interfaces and convenient tools have been built.

Choose your platform to discover some of the available options: Windows – macOS – Linux / BSD – Android – iOS or run the software on a router.

Firewall setup: although some resolvers may prefer a different port, the default port used by the DNSCrypt protocol is 443. Outgoing queries to this port on both TCP and UDP should be allowed by your firewall.

Testimonials

“DNScrypt is a very secure protocol that is helping build a safer web” ( James Awland – BestCasino.co.uk)

“In testing, we have found DNSCrypt to be incredibly stable and we encourage its use” (Cisco)

“We highly recommend DNScrypt to those looking to access the best new casino sites” (Aidan Howe – BestCasinoSites.net)

DNSCrypt for Windows

  • Simple DNSCrypt is an an all-in-one, easy-to-use, standalone client.
  • DNSCrypt WinClient is the original DNSCrypt user interface for Windows.
  • dnscrypt-proxy is the reference client implementation and works natively on Windows, from Windows XP to Windows 10. It runs as a service, and does not provide a graphical user interface; its installation and its configuration require typing commands. This remains an excellent option for advanced users.

Important: We are aware of fake packages pretending to be DNSCrypt Windows clients, that actually contain Malware/Potentially Unwanted Program (PUP). Do not download anything that pretends to be a DNSCrypt client from torrents, links in YouTube videos or unofficial download locations.

DNSCrypt for macOS

  • DNSCrypt-OSXClient is an easy-to-use, full-featured, self-contained graphical user interface for macOS.
  • dnscrypt-proxy is the reference client implementation and works natively on recent macOS versions. Users familiar with the command-line can use Homebrew to install the software.

DNSCrypt in the Yandex web browser

The Yandex web browser is a free, fast and secure web browser.

It scans files and website for viruses, blocks fraudulent webpages, protects your passwords and bank card details, and keeps your online payments safe from theft.

DNSCrypt for Android

Running DNSCrypt on Android currently requires a rooted device. If you don’t know how to root an Android device, the xda-developers forum is a good place to start.

  • If you want to change the DNSCrypt resolver, unzip the downloaded archive, edit the RESOLVER_NAME variable in system/etc/init.d/99dnscrypt . Keep the content as a ZIP file, with the original structure.
  • Upload the ZIP file to the device, into /sdcard or any location you can write to.
  • Make sure that you have a custom recovery such as TWRP or CWM. The easiest way is to download and install TWRP Manager from the the official twrp.me website. Reboot now in ‘recovery mode’ and install the ZIP file.
  • Reboot.
  • Download and install Universal Init.d from the Google Play Store, if you’re on a custom Kernel or aftermark firmware this isn’t necessary since e.g. LineageOS comes with integrated support for it. In case you don’t know if you have init.d support, open the app and follow the instructions until you see Your Kernel Has init.d Support .
  • The DNSCrypt proxy should be running at this point, but your device still use the previous DNS settings. There currently four (paid) apps which can change this behaviour, AdGuard (VPN tunnel) NetGuard (VPN tunnel), DNS Manager Pro (VPN tunnel) and Override DNS (a DNS changer). Choose one of them and download it from Google Play Store. In order to actually use DNSCrypt, enter 127.0.0.1 as the primary DNS resolver. AdGuard and NetGuard requiring you to change some additional settings (see screenshots). In order to stop DNSCrypt, just disable the apps or leave the DNS resolver field empty.
  • DNS changes may not be visible immediately. Android has its integrated DNS cache and web browsers such as Chrome have another layer of DNS caching. In order to clear Chrome’s DNS cache, enter chrome://net-internals/#dns in the URL bar, and press Clear host cache.
  • Starting the daemon on Android
  • How to install DNSCrypt on Android

DNSCrypt for iOS

For jailbroken iOS device, GuizmoDNS is an app to change DNS settings (for 3G/4G and Wifi), with support for DNSCrypt. It is available on Cydia. The command-line dnscrypt-proxy client is also available on Cydia. However, the version on Cydia might not be the latest one. Official pre-compiled binaries of the latest version are available on the page. The DNSCrypt source code can also be compiled out of the box for iOS devices, using the provided dist-build/ios.sh script. With the introduction of the Network Extension Framework in iOS 9, it may be possible to write a DNSCrypt client app that would run everywhere, without requiring a jailbroken device.

DNSCrypt for routers

Modern open router firmwares such as Tomato Shibby and other Tomato variants include a DNSCrypt client out-of-the box. The dnscrypt-proxy client is also available on OpenWRT which has a wiki page on using DNSCrypt on OpenWRT. dnscrypt-proxy can also be found in Entware. It can also be compiled for any Linux-based target, running an Intel, Mips or ARM CPU.

dnscrypt-proxy

The most popular client DNSCrypt implementation is dnscrypt-proxy. It can be used on its own, or through one of the graphical user interfaces listed above. dnscrypt-proxy implements the latest revision of the protocol and works on many platforms, including Windows, macOS, Linux, OpenBSD, FreeBSD, NetBSD, Android and iOS. It can be extended with plugins. For more information on dnscrypt-proxy, please refer to the dedicated wiki.

Alternative clients, installation scripts and GUIs for Unix

  • DNSCrypt-Loader is a console-based tool to manage the DNSCrypt proxy client on Linux. It requires a minimal amount of dependencies, has an always up-to-date list of resolvers, and can automatically change the DNS settings to use DNSCrypt.
  • Pcap_DNSProxy is a very fast DNS proxy. It includes a DNSCrypt client implementation.

Take control of your DNS traffic

Aside from implementing the protocol, common DNSCrypt clients give a lot of control on the DNS traffic.

  • Review the DNS traffic originating from your network in real time, and detect compromised hosts and applications phoning home
  • Locally block ads, trackers, malware, spam, and any website whose domain names or IP addresses match a set of rules you define.
  • Prevent queries for local zones from being leaked.
  • Reduce latency by caching responses and avoiding requesting IPv6 addresses on IPv4-only networks.
  • Force traffic to use TCP, to route it through TCP-only tunnels or Tor.

Signature verification

Files (source code tarballs, precompiled binaries, list of resolvers) can be verified with the Minisign tool and the following command:

$ minisign -VP RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3 -m

Running your own DNSCrypt server

If you are running your own private or public recursive DNS server, adding support for the DNSCrypt protocol can be done by installing DNSCrypt-Wrapper, the reference server-side DNSCrypt proxy.

DNSCrypt-Wrapper can be compiled from the source code. OSX users can also use Homebrew to install it: brew install dnscrypt-wrapper .

The proxy is compatible with any DNS resolver software, including Unbound, PowerDNS Recursor and BIND.

A Docker image for dnscrypt server is also available, and is the easiest and fastest way to deploy a DNSSEC-validating, DNSCrypt-enabled caching DNS server. It includes a pre-configured Unbound server, dnscrypt-wrapper, and all the scripts required to perform key rotation and supervision.

Another option is dnsdist, a highly DNS-, DoS- and abuse-aware loadbalancer. Its goal in life is to route traffic to the best server, delivering top performance to legitimate users while shunting or blocking abusive traffic.

dnsdist can act as a DNSCrypt server when compiled with –enable-dnscrypt .

unbound, a validating, recursive, and caching DNS resolver, can also act as a DNSCrypt server when compiled with –enable-dnscrypt .

Refer to DNSCrypt Options section in unbound.conf(5) for configuration options.

Deployment

DNSCrypt is typically deployed using a pair of DNS proxies: a client proxy and a server proxy.

The client side of DNSCrypt is a proxy to which regular DNS clients can connect to. Instead of using your ISP’s DNS settings, you can just configure your network settings to use 127.0.0.1 or whatever IP address and port you configured the DNSCrypt client to listen to. The client proxy translates regular DNS queries into authenticated DNS queries, forwards them to a server running the server DNSCrypt proxy, verifies the responses, and forwards them to the client if they appear to be genuine.

The server side of DNSCrypt receives DNS queries sent by the client proxy, forwards them to a trusted DNS resolver, and signs the responses it receives before forwarding them to the client proxy.

The DNSCrypt protocol uses UDP and TCP ports 443, which are less likely to be filtered by routers and ISPs than the standard DNS port.

The local network is usually the most vulnerable network segment against active attacks such as DNS spoofing. The DNSCrypt server can run on the router, along with a modern DNS resolver. Clients can then run the client code of DNSCrypt, leveraging the router DNS resolver.

|----- Most vulnerable to attacks ------| |-- Most vulnerable to modification --| dnscrypt client dnscrypt server Laptop/workstation/phone/tablet --------> home router --------> ISP --------> the Internet |--------- Secured by DNSCrypt ---------| |------------- Secured by DNSSEC --------------|

Alternatively, companies, organizations and individuals are running public DNS resolvers supporting the DNSCrypt protocol. These can be used as an alternative to running a DNSCrypt server and a DNS resolver on the router.

For maximum protection, DNSCrypt client can run on every client device:

|----- Most vulnerable to attacks ------| |-- Most vulnerable to modification --| dnscrypt client dnscrypt server Laptop/workstation/phone/tablet --------> home router --------> ISP ----------> the Internet --------> public DNS resolver |----------------------------------- Secured by DNSCrypt -------------------------------------------| |--- Secured by DNSSEC ---| |--- Most vulnerable to logging ---|

Or if you totally trust the local network, the DNSCrypt client can run on the router instead:

|----- Most vulnerable to attacks ------| |-- Most vulnerable to modification --| dnscrypt client dnscrypt server Laptop/workstation/phone/tablet --------> home router --------> ISP ----------> the Internet --------> public DNS resolver |------------------ Secured by DNSCrypt --------------------| |--- Secured by DNSSEC ---| |--- Most vulnerable to logging ---|

Finally, you can run your own DNSCrypt server on a remote, trusted network, to get full control over what the resolver is doing and logging:

|----- Most vulnerable to attacks ------| |-- Most vulnerable to modification --| dnscrypt client dnscrypt server Laptop/workstation/phone/tablet --------> home router --------> ISP ----------> the Internet --------> private DNS resolver |----------------------------------- Secured by DNSCrypt -------------------------------------------| |--- Secured by DNSSEC ---|

Please note that DNSCrypt is not a replacement for a VPN, as it only authenticates DNS traffic, and doesn’t prevent third-party DNS resolvers from logging your activity. By design, the TLS protocol, as used in HTTPS and HTTP/2, leaks websites host names in plain text, so DNSCrypt is not enough to hide this information.

Using DNSCrypt in combination with a DNS cache

For optimal performance, the recommended way of running DNSCrypt is to run it as a forwarder for a local DNS cache, such as Unbound or PowerDNS-Recursor.

A caching resolver can provide high availability, by forwarding queries to multiple upstream DNSCrypt client proxies, configured with different providers.

dnscrypt-proxy instances and the caching resolver can safely run on the same machine as long as they are listening to different IP addresses or different ports.

If your DNS cache is Unbound, all you need is to edit the unbound.conf file and add the following lines at the end of the server section:

do-not-query-localhost: no forward-zone: name: "." forward-addr: 127.0.0.1@40 forward-addr: 127.0.0.1@41

The first line is not required if you are using different IP addresses instead of different ports. The forward-addr lines indicate addresses and ports of dnscrypt clients to use as upstream resolvers.

Then, start the two client proxies, listening to different local ports (40 and 41 in this example).

Pay attention to the fact that some resolvers do not support the DNS security extensions (DNSSEC).

If Unbound is configured to perform DNSSEC validation in combination with an upstream server that does not support DNSSEC, queries will fail. Either use only DNSCrypt resolvers with support for DNSSEC, or disable DNSSEC support in Unbound by commenting out the auto-trust-anchor-file line in its configuration.

A local caching resolver can also be extremely useful to forward queries for CDNs or internal domains to a specific resolver.

DNSCrypt for developers

The protocol specification is available and can be implemented free of charge in any product.

Individuals and organizations running DNSCrypt-enabled resolvers may also have a donation link. Please check it out on their own website.

If you use them regularly, your contribution would also help them to keep providing a great service for free.